FortiGate-6000 Handbook

Using data interfaces for management traffic

You can set up in-band management connections to all FortiGate-6000 data interfaces by setting up administrative access for the data interface that you want to use to manage the FortiGate-6000. Connecting to a data interface for management is the same as connecting to one of the management interfaces. For example, you can log in to the GUI or CLI of the FortiGate-6000 management board.

Administrators with VDOM-level access can log in to their VDOM if they connect to a data interface that is in their VDOM.

In-band management limitations

In-band management has the following limitations:

  • In-band management does not support using special port numbers to connect to individual FPCs or the management board. If you have logged in using an in-band management connection, the special management HTTPS port numbers appear on the Security Fabric dashboard widget when you hover over individual FPCs. You can click on an FPC in the Security Fabric dashboard widget and select Login to... to log into the GUI of that FPC. This action creates an out-of-band management connection by crafting a URL that includes the IP address of the FortiGate-6000 mgmt1 plus the special HTTPS port number required to connect to that FPC.
  • The data interfaces must have IPv4 IP addresses; IPv6 in-band management is not supported.
  • In-band management connections to the IP address of a VDOM link interface are not supported.
  • Large (or jumbo) packets from in-band management sessions are fragmented by the FPCs before they are forwarded to the management board.
  • SNMP in-band management is not supported.
  • VRF routes are not applied to outgoing in-band management traffic.
  • Changes made on the fly to administrative access settings are not enforced for in-progress in-band management sessions. The changes apply to new in-band sessions only. For example, if an administrator is using SSH for an in-band management connection and you change the SSH administrative port, that in-band management session can continue. Any out-of-band management sessions would need to be restarted with the new port number. New in-band SSH management sessions need to use the new port number. HTTPS access works the same way; however, HTTPS starts new sessions every time you navigate to a new GUI page, so an on-the-fly change would affect an HTTPS in-band management session whenever the administrator navigates to a new GUI page.
  • In-band management is not supported for connections to data interfaces that are in a transparent mode VDOM.
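
Several of the limitations above can be checked against a configuration backup before relying on in-band access. The following is an added example, not Fortinet code: it parses a constructed `config system interface` excerpt and flags data interfaces whose administrative access settings run into one of the listed limitations. It assumes interfaces named `mgmt*` are the out-of-band management ports and that the caller supplies the names of transparent mode VDOMs; the function names and limitation labels are hypothetical.

```python
import shlex
# Constructed sample in FortiOS CLI syntax; not taken from the page.
SAMPLE = """config system interface
    edit "mgmt1"
        set allowaccess ping https ssh snmp
    next
    edit "port1"
        set allowaccess https ssh snmp
        config ipv6
            set ip6-allowaccess https
        end
    next
    edit "port2"
        set vdom "tp-vdom"
        set allowaccess https
    next
    edit "vlink0"
        set type vdom-link
        set allowaccess ping https
    next
end"""

def parse_interfaces(text):
    """Map interface name -> {setting: [values]}; nested blocks are flattened."""
    ifaces, cur, depth = {}, None, 0
    for tok in filter(None, map(shlex.split, text.splitlines())):
        depth += {"config": 1, "end": -1}.get(tok[0], 0)
        if tok[0] == "edit" and depth == 1:
            cur = ifaces.setdefault(tok[1], {})
        elif tok[0] == "next" and depth == 1:
            cur = None
        elif tok[0] == "set" and cur is not None:
            cur[tok[1]] = tok[2:]
    return ifaces

def audit(ifaces, transparent_vdoms=()):
    """Return (interface, limitation) pairs for data interfaces only."""
    out = []
    for name, cfg in ifaces.items():
        if name.startswith("mgmt"):  # assumption: mgmt* ports are out-of-band
            continue
        access = cfg.get("allowaccess", [])
        hits = {"snmp": "snmp" in access,
                "ipv6": bool(cfg.get("ip6-allowaccess")),
                "vdom-link": bool(access) and cfg.get("type") == ["vdom-link"],
                "transparent-vdom": bool(access)
                and cfg.get("vdom", [""])[0] in transparent_vdoms}
        out += [(name, k) for k, hit in hits.items() if hit]
    return out
```

Pass `transparent_vdoms` as a set or tuple of VDOM names, for example `audit(parse_interfaces(SAMPLE), {"tp-vdom"})`.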